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NATIONAL FOREWORD 

This Indian Standard (Part 4) which is identical with lEC 61508-4 : 1998 'Functional safety of 
eiectrical/electronic/programmable electronic safety- related systems — Part 4: Definitions and 
abbreviations' issued by the International Electrotechnical Commission (lEC) was adopted by the 
Bureau of Indian Standards on the recommendation of the Industrial Process Measurement and 
Control Sectional Committee and approval of the Electrotechnical Division Council. 

The text of lEC Standard has been approved as suitable for publication as an Indian Standard without 
deviations. Certain conventions are, however, not identical to those used in Indian Standards. 
Attention is particularly drawn to the following: 

a) Wherever the words 'International Standard' appear referring to this standard, they should 
be read as 'Indian Standard'. 

b) Comma (,) has been used as a decimal marker, while in Indian Standards, the current 
practice is to use a point (.) as the decimal marker. 

In this adopted standard, reference appears to certain International Standards for which Indian 
Standards also exist. The corresponding Indian Standards, which are to be substituted in their 
respective places, are listed below along with their degree of equivalence for the editions indicated: 



International Standard 

lEC 60050-191 : 1990 International 
Electrotechnical Vocabulary — 
Chapter 191: Dependability and quality 
of service 

lEC 60050-351 : 1975 International 
Electrotechnical Vocabulary — 
Chapter 351 : Automatic control 

lEC 61508-1 : 1998 Functional safety 
of electrical/electronic/programmable 
electronic safety-related systems — 
Part 1 : General requirements 

lEC 61508-2 : 2000 Functional safety 
of electrical/electronic/programmable 
electronic safety-related systems — 
Part 2: Requirements for electrical/ 
electronic/programmable electronic 
safety- related systems 

lEC 61508-3 : 1998 Functional safety 
of electrical/electronic/programmable 
electronic safety- related systems — 
Part 3: Software requirements 

lEC 61508-5 : 1998 Functional safety 
of electrical/electrontc/programmable 
electronic safety-related systems — 
Part 5: Examples of methods for the 
determination of safety integrity levels 



Corresponding Indian Standard 

IS 1885 (Part 39) : 1999 Electrotechnical 
vocabulary: Part 39 Dependability of 
electronic and electrical items {second 
revision) 

IS 1885 (Part 75) : 1993 Electrotechnical 
vocabulary: Part 75 Automatic control 

IS/IEC 61508-1 : 1998 Functional safety of 
electrical/electronic/programmable electronic 
safety-related systems: Part 1 General 
requirements 

IS/IEC 61508-2 : 2000 Functional safety of 
electrical/electronic/programmable electronic 
safety-related systems: Part 2 Requirements 
for electrical/electronic/programmable elec- 
tronic safety- related systems 

IS/IEC 61508-3 : 1998 Functional safety of 
electrical/electronic/programmable electronic 
safety-related systems: Part 3 Software 
requirements 

IS/IEC 61508-5 : 1998 Functional safety of 
electrical/electronic/programmable electronic 
safety-related systems: Part 5 Examples of 
methods for the determination of safety 
integrity levels 



Degree of 
Equivalence 

Technically 
Equivalent 



Identical 



do 



do 



do 



do 
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International Standard 



lEC 61508-6 : 2000 Functional safety 
of electrical/electronic/programmable 
electronic safety-related systems — 
Part 6: Guidelines on the application of 
lEC 61508-2 and lEC 61508-3 

lEC 61508-7 : 2000 Functional safety 
of electrical/electronic/programmable 
electronic safety-related systenns — 
Part 7: Overview of techniques and 
measures 

ISO 8402 : 1994'' Quality management 
and quality assurance — Vocabulary 

ISO/IEC Guide 51 : 1990'' Guidelines 
for the inclusion of safety aspects in 
standards 



Corresponding Indian Standard 

IS/IEC 61508-6 : 2000 Functional safety of 
electrical/eiectronic/programmable electronic 
safety-related systems: Part 6 Guidelines 
on the application of lEC 61508-2 and 
I EC 61508-3 

IS/IEC 61508-7 ; 2000 Functional safety of 
electrical/electronic/ programmable electronic 
safety-related systems: Part 7 Overview of 
techniques and measures 

IS/ISO 9000 : 2000 Quality management 
systems — Fundamentals and vocabulary 

IS/ISO/IEC Guide 51 : 2005 Safety aspects 
— Guidelines for their inclusion in standards 



Dagree of 
Equivalence 

Identical 



do 



Technically 
Equivalent 

do 



The technical committee has reviewed the provisions of the following International Standards referred 
in this adopted standard and has decided that they are acceptable for use in conjunction with this 
standard: 



International Standard 
lEC Guide 104: 1997 

ISO/IEC 2382-14; 1998 



Title 

Guide to the drafting of safety standards, and the role of Committees with 
safety pilot functions and safety group functions 



Data processing — Vocabulary 
availability 



Part 1 4; Reliability, maintainability and 



Only the English language text of the International Standard has been retained while adopting it in this 
Indian Standard, and as such the page numbers given here are not the same as in the lEC Standard. 

For the purpose of deciding whether a particular requirement of this standard is complied with, the 
final value, observed or calculated, expressing the result of a test, shall be rounded off in accordance 
with IS 2 : 1960 'Rules for rounding off numerical values (revised)'. The number of significant places 
retained in the rounded off value should be the same as that of the specified value in this standard. 



" Since revised in 2000. 
^' Sirwe revised In 2005. 
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INTRODUCTION 



Systems comprised of electrical and/or electronic components have been used for many years 
to perform safety functions in most application sectors. Computer-based systems (genencally 
referred to as programmable electronic systems (PESs)) are being used in all application 
sectors to perform non-safety functions and, increasingly, to perform safety functions. If 
computer system technology is to be effectively and safely exploited, it is essential that those 
responsible for making decisions have sufficient guidance on the safety aspects on which to 
make those decisions. 

This International Standard sets out a generic approach for all safety lifecycle activities for 
systems comprised of electrical and/or electronic and/or programmable electronic components 
(electncat/electronic/ programmable electronic systems (E/E/PESs)) that are used to perform 
safety functions. This unified approach has been adopted in order that a rational and consistent 
technical policy be developed for all electrically baseo safety-related systems. A major 
objective is to facilitate the development of application sector standards. 

In most situations, safety is achieved by a number of protective systems which rely on many 
technologies (for example mechanical, hydraulic, pneumatic, electrical, electronic, 
programmable electronic). Any safety strategy must therefore consider not only all the 
elements withm an individual system (for example sensors, controlling devices and actuators) 
but also all the safety-related systems making up the total combination of safety-related 
systems. Therefore, while this International Standard is concerned with electrical/elec- 
tronic/programmable electronic (E/E/PE) safety-related systems, it may also provide a 
framework within which safety-related systems based on other technologies may be 
considered. 

It IS recognised that there is a great variety of E/E/PES applications in a variety of application 
sectors and covering a wide range of complexity, hazard and risk potentials. In any particular 
application, the required safety measures will be dependent on many factors specific to the 
application This International Standard, by being generic, will enable such measures to be 
formulated m future application sector international standards. 

This International Standard 

- considers all relevant overall, E/E/PES and software safety lifecycle phases (for example, 
from initial concept, through design, implementation, operation and maintenance to 
decommissioning) when E/E/PESs are used to perform safety functions; 

- has been conceived with a rapidly developing technology m mind; the framework is 
sufficiently robust and comprehensive to cater for future developments; 

- enables application sector international standards, dealing with safely-related E/E/PESs, to 
be developed; the development of application sector international standards, within the 
framework of this International Standard, should lead to a high level of consistency (for 
example, of underlying principles, terminology, etc.) both within application sectors and 
across application sectors; this will have both safely and economic benefits; 

- provides a method for the development of the safety requirements specification necessary 
to achieve the required functional safety for E/E/PE safety-related systems; 



» 
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uses safety integrity levels for specifying the target level of safety integrity for the safety 
functions to be implemented by the E/E/PE safety-related systems; 

aaopts a nsk-based approach for the determination of the safety integrity level 
requirements; 

sets numerical target failure measures for E/E/PE safety-related systems which are linked 
to the safety integrity levels; 

sets a lower limit on the target failure measures, m a dangerous mode of failure, that can 
be claimed for a single E/E/PE safety-related system; for E/E/PE safety related systems 
operating m 

- a low demand mode of operation, the lower hmit is set at an average probability of 
failure of 10 " to perform its design function on demand. 

- a fiigh demand or continuous mode of operation, the lower hmit is set at a probability of 
a dangerous failure of 10 ^ per hour, 

NOTE - A single E'E'PE salely reialed syslcm aoes rio! nccpssaniy moan a smyle channel arrhilpclurc 

adopts a broad range of principles, techniques and measures to achieve functional safety 
for E/E/PE safety-related systems, but does not use the concept of fail sale which may be 
of value wfien the failure modes are well defined and the level of complexity is relatively 
low; the concept of fail safe was considered inappropriate because of the full range of 
complexity of E/E/PE safety-related systems that are within the scope of the standard 
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Indian Standard 

FUNCTIONAL SAFETY OF ELECTRICAL7 

ELECTRONIC/PROGRAMMABLE ELECTRONIC 

SAFETY-RELATED SYSTEMS 

PART 4 DEFINITIONS AND ABBREVIATIONS 
1 Scope 

1.1 This part of lEC 61508 contains the definitions and explanation of terms that are used in 
parts 1 to 7 of tnis standard 

1.2 The definitions are grouped under general headings so that related terms can be 
understood within the context of each other But it should be noted that these headings are not 
intended to add meaning to the definitions and m this sense the headings should be 
disregarded, 

1.3 lEC 61508-1. lEC 61508-2, lEC 61508-3 and lEC 61508-4 are basic safety publications, 
although this status does not apply m the context of low-complexity E/E/PE safety-related 
systems (see 3,4.4) As basic safety publications, they are intended for use by technical 
committees in the preparation of standaros m accordance with the principles contained m lEC 
Guide 104 and ISO/IEC Guide 51 One of the responsibilities of a technical committee is, 
wherever applicable, to make use of basic safety publications m the preparation of its own 
publications lEC 61508 is also intended for use as a stand-alone standard 

1.4 Figure 1 shows the overall framework for parts 1 to 7 of lEC 61508 and indicates the role 
that lEG 61508-4 plays 'n the achievement of functional safety for E/E/PE safety-related 
systems. 

NOTE - n me uSA a'^a Ca^aaa ^-^l: tie p'oposea cocess sector implementation o' lEC 61508 (i e lEC 61511) is 
puDisnea as a" nie-na; o"a stanaa'O n tue ^SA a'-o Canada existing national process safety standa^as based on 
EC 61508 (i e A\'S- SA Se^ 0' '9961 can oe aooea :o tne p'ocess sector instead of lEC 61508 
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Development of the overall safety 

requirements (concept, scope 
definition, hazard and risk analysis) ^ 
(E/E/PE safety-related systems, other } {PART 5 I 
technology safety-related systems and 

external risk reduction facilities) 

7. 1 to 7.5 
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Risk based approachet 

to the development of 

the safety integrity 

requirements 
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Allocation of the safety 

requirements to the E/E/PE 

safety-related systems 

7.6 
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Guidelines for the 
application of 
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Installation and commissioning 

and safety validation of E/E/PE 

safety-related systems 

7.13 and 7.14 



I 
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Operation and maintenance. 

modification and retrofit. 

decommissioning or disposal of 

E/E/PE safety-related systems 

7. ?5fO 7.7 7 
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requirements/ 



Definitions and 
abbreviations 
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Documentation 

Clause 5 and 
annex A 

\PApiT1\ ' 



Management of 
functional safety 

Clause 6 



[PARTI] 



Functional safety 
assessment 

Clause 8 
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Figure 1 Overall framework of this standard 
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2 Normative references 



The following normative documents contain provisions which, through reference m this text, 
constitute provisions of this part of lEC 61508. For dated references, subsequent amendments 
to, or revisions of, any of these publications do not apply However, parties to agreements 
based on this part of lEC 61508 are encouraged to investigate the possibility of applying the 
most recent editions of the normative documents indicated below. For undated references, the 
latest edition of the normative document referred to applies. Members of lEC and ISO maintain 
registers of currently valid International Standards. 

lEC 60050(1 91): 1990, International Electrotechnical Vocabulary (lEV) - Chapter 191: 
Dependability and quality of service 

lEC 60050(351)1975, International Electrotechnical Vocabulary (lEV) - Chapter 351: 
Automatic control 

lEC 61508-1:1998, Functional safety of electrical/electronical/programmable electronic safety- 
related systems - Part 1: General requirements 

lEC 61508-2:—, Functional safety of electncal/electronical/programmable electronic safety- 
related systems - Part 2: Requirements for electrical/electronical/programmable electronic 
safety-related systems^) 

lEC 61508-3:1998, Functional safety of electrical/electronical/programmable electronic safety- 
related systems - Part 3: Software requirements 

lEC 61508-5:1998. Functional safety of electrical/electronical/programmable electronic safety- 
related systems - Part 5: Examples of methods for the determination of safety integrity levels 

lEC 61508-6: — , Functional safety of electrical/electronical/programmable electronic safety- 
related systems - Part 6: Guidelines on the application of lEC 61508-2 and lEC 61508-3^'' 

lEC 61508-7:—, Functional safety of electrical/electronical/programmable electronic safety- 
related systems - Part 7: Overview of techniques and measures^^ 

lEC Guide 104:1997, The preparation of safety publications and the use of basic safety 
publications and group safety publications 

ISO/IEC 2382-14:1998. Data processing - Vocabulary - Part 14: Reliability, maintainability 
and availability 

ISO/IEC Guide 51 :1990, Safety aspects - Guidelines for their inclusion in standards 

ISO 8402:1994. Quality management and quality assurance - Vocabulary 



'I To be published 
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3 Definitions and abbreviations 

For the purposes of this International Standard, the following definitions and the abbreviations 
given in table 1 apply. 

Table 1 — Abbreviations used in this standard 



Abbrtviation 



Full expression 



Definition and/or explanation of term 



MooN 

MooND 
ALARP 
E/E/PE 
E/E/PES 

EUC 
PES 
PLC 
SIL 



M out of N channel architecture 

(tor example 1oo2 is 1 out of 2 channel 

architecture) 

M out of N channel architecture with diagnostics 

As low as IS reasonably practicable 

Electficai/electronic/programmabie electronic 

Electrical/electronic/programmable electronic 
system 

Equipment under control 

Programmable electronic system 

Programmable logic controller 

Safety integrity level 



Annex B of lEC 61508-6 

Annex B of lEC 61508-6 
Annex B of lEC 61508-5 
3 2.6 
333 

3.2.3 

332 

Annex E of lEC 61508-6 

356 



3.1 Safety terms 

3.1.1 
harm 

physical injury or damage to the health of people either directly or indirectly as a result of 
damage to property or to the environment 
(ISO/lEC Guide 51 1990 (modified)i 

3.1.2 
hazard 

potential source of harm [Guide 51 ISO/IEC:1990] 

NOTE - The term includes danger to persons ans.ng within a short time scale (for example fire and explosion) and 
also those that have a long-term effect on a persons health (for example, release of a toxic substance), 

3.1.3 

hazardous situation 

circumstance in which a person is exposed to hazard(s) 

3.1.4 
hazardous event 

hazardous situation which results m harm 



3.1.5 
risk 

combination of the probability of occurrence of harm and the severity of that harm 

[iSO/lEC Guide 5l 1990 (modifieO); 

NOTE - For more discussion on this conceo! see annex A of iEC 61508-5 

3.1.6 
tolerable risk 

risk which is accepted in a given context based on the current values of society 

NOTE - See annex 8 of lEC 61508-5 
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3.1.7 
residual risk 

risk remaining after protective measures have been taken 

3.1.8 
safety 

freedom from unacceptable risk 

3.1.9 
functional safety 

part of the overall safety relating to the EUC and the EUC control system which depends on the 
correct functioning of the E/E/PE safety-related systems, other technology safety-related 
systems and external risk reduction facilities 

3.1.10 
safe state 

state of the EUC when safety is achieved 

NOTE - In going from a potenhaliy hazardous condiiion to me tmal safe slalc. the EUC may nave to go through a 
number of intermediate sale states For some Situations a sate slate exists only so long as the tUC is conlirjuously 
controlled Such continuous control may De for a short or an mdelimte period of time 

3.1.11 

reasonably foreseeable misuse 

use of a product, process or service under conditions or for purposes not intended by the 
supplier, but which can happen, induced by the product, process or service m combination with, 
or as a result of. common human behaviour 

3.2 Equipment and devices 

3.2.1 
functional unit 

entity of hardware or software, or both, capable of accomplishing a specified purpose 

NOTE ~ In lEV 191-01-01 the more general term item" ;s used m place of functional unit An item may sometimes 
include people 

[ISO/IEC 2382-14-01-01] 

3.2.2 
software 

intellectual creation comprising the programs, procedures, data, rules and any associated 
documentation pertaining to the operation of a data processing system 

NOTE 1 - Software is independent of the medium on which it is recorded 

NOTE 2 - This definition without note 1 differs from ISO 2382-1, and the full definition differs from ISO 9000 3 by 
the addition of the word data 

3.2.3 

equipment under control (EUC) 

equipment, machinery, apparatus or plant used for manufacturmg, process, transportation, 

medical or other activities 

NOTE - The EUC control system is separate and distinct from the EUC 
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3.2.4 
EUC risk 

risk arising from the EUC or its interaction with the EUC control system 

NOTE 1 - The nsk m ih,s context ,s that associated with the specific hazardous event in which E/E/PE safety- 
related systems other technology safety-related systems and external risk reduction facilities are to be used to 
provide the necessary nsK reduction, (i e the risk associated with functional safety) 

NOTE 2 - The EUC nsk is indicated in figure A 1 of lEC 61508-5 The mam purpose of determining the EUC nsk is 
to establish a reference point for the nsk without taking into account E/E/PE safety-related systems, other 
technology safety-related systems and external nsk reduction facilities 
NOTE 3 - Assessment of this risk will include associated human factor issues. 

3.2.5 

programmable electronic (PE) 

based on computer technology which may be comprised of hardware, software, and of input 
and/or output units 

NOTE - This term covers microelectronic devices based on one or more central processing units (CPUs) together 

with associated memories etc 

EXAIV1PLE The following are all programmable electronic devices 

microprocessors 

micro-controllers, 

programmable controllers. 

application specific integrated circuits (ASlCs) 

- programmable logic controllers (PLCs). 

- other computer-based devices (for example smart sensors, transmitters, actuators). 

3.2.6 

eiectrical/electronic/programmable electronic (E/E/PE) 

based on electrical (E) and/or electronic (E) and/or programmable electronic (PE) technology 

NOTE - The term is intended to cover any and all devices or systems operating on electrical principles. 
EXAMPLE Eiectrical/eiectronic/programmable electronic devices include 

- electro-mechanical devices (electrical) 

- solid-state non-programmable electronic devices (electronic); 

- electronic devices based on computer technology (programmable electronic); see 3 2 5 

3.2.7 

limited variability language 

software programming language, either textual or graphical, for commercial and industrial 
programmable electronic controllers with a range of capabilities limited to their application 

EXAMPLE The following are limited variability languages, from lEC 61131-3 and other sources, which are used to 

represent the application program for a PLC system 

- ladder diagram a graphical language consisting of a series of input symbols (representing behaviour similar to 
devices such as normally open and normally closed contacts) interconnected by lines (to indicate the flow of 
current) to output symbols (representing behaviour similar to relays); 

- Boolean algebra a lowlevei language based on Boolean operators such as AND, OR and NOT with the ability 
to add some mnemonic instructions 

- function block diagram m addilior^ to Boolean operators, allows the use of more complex functions such as data 
transfer f'le. block transfer reao'write snift register and sequencer instructions; 

- sequential function chart a graphical representation of a sequential program consisting of interconnected steps, 

act ons and directed imks with transition conditions 
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3.3 Systems: general aspects 

3.3.1 
system 

set of elements which interact according to a design, where an element of a system can be 
another system, called a subsystem, which may be a controlling system or a controlled system 
and may include hardware, software and human interaction 

NOTE 1 - A person can be part of a system (see also note 5 of 3 4 l) 

NOTE 2 - This definition differs from lEV 351 -01 01 

3.3.2 

programmable electronic system (PES) 

system for control, protection or monitoring based on one or more programmable electronic 
devices, including all elements of the system such as power supplies, sensors and other input 
devices, data highways and other communication paths, and actuators and other output 
devices (see figure 2) 

NOTE - Thie structure of a PES is shown in figure 2 a) Figure 2 b) illustrates the way in which a PES is represent- 
ed in this International Standard, with the programmable electronics shown as a unit distinct from sensors and 
actuators on the EUC and their interfaces, but the programmable electronics could exist at several places in the 
PES Figure 2 c) illustrates a PES with two discrete units of programmable electronics. Figure 2 d) illustrates a PES 
with dual programmable electronics (i e two-channel) but with a single sensor and a single actuator 

3.3.3 

electrical/electronic/programmable electronic system (E/E/PES) 

system for control, protection or monitoring based on one or more electrical/electronic 
programmable electronic (E/E/PE) devices, including all elements of the system such as power 
supplies, sensors and other input devices, data highways and other communication paths, and 
actuators and other output devices (see figure 3) 

3.3.4 

EUC control system 

system which responds to input signals from the process and/or from an operator and 
generates output signals causing the EUC to operate in the desired manner 

NOTE - The EUC control system includes input devices and final elements 

3.3.5 
architecture 

specific configuration of hardware and software elements m a system 

3.3.6 
module 

routine, discrete component or a functional set of encapsulated routines or discrete 
components belonging together 

3.3.7 

software module 

construct that consists of procedures and/or data declarations and that can also interact with 

other such constructs 



m 

I 
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Extent 
of PES 



Input interfaces 
A-D converters 



I 



t 



Input devices 
(for example sensors) 



Communications 



Programmable 
electronics 
(see note) 



Output interfaces 
D-A converters 



I 



t 



a) Basic PES structure 



Output devices/Tina! elements j 
(for example actuators) ! 



H PE H 



b) Single PES with single program- 
mable electronic device (i.e. one PES 
comprised of a single channel of 
programmable electronics) 



H PEi I — I PE? H 



c) Single PES with dual program- 
mable electronic devices linked in a 
serial manner (for example intelligent 
sensor and programmable controller) 



H PEi 



d) Single PES with dual program- 
mable electronic devices but with 

shared sensors and final elements (i.e. 

one PES comprised of two channels 
of programmable electronics) 



NOTE - The programmable electronics are shown centrally located but could exist at several places in the PES. 
Figure 2 — Programniable electronic system (PES): structure and terminology 



Extent of 
E/E/PES 



Input interfaces 
A-D converters 



Communications 



E/E/PE device 



Output interfaces 
D-A converters 



I 



Input devices 
(for example sensors) 



Output devices/ 

final elements 

(for example actuators); 



NOTE - THE E/E/PE device is shown centrally located but such device(s) could exist at several places in the E/E/PES. 

Figure 3 — Electrical/electronic/programmable electronic system (E/E/PES): 

structure and terminology 
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3.3.8 
channel 

element or group of elements that independently perform(s) a function 

EXAMPLE A two-channel (or dual-channel) configuration is one with two channels that independently perform the 
same function. 

NOTE 1 - The elements within a channel could Include input/output modules, a logic system (see 3 4.5), sensors 
and final elements. 

NOTE 2 - The term can be used to describe a complete system, or a portion of a system (for example, sensors or 
final elements). 

3.3.9 
diversity 

different means of performing a required function 

EXAMPLE Diversity may be achieved by different physical methods or different design approaches 

3.3.10 
redundancy 

existence of means, in addition to the means which would be sufficient for a functional unit to 
perform a required function or for data to represent information 

EXAMPLE Duplicated functional components and the addition of parity bits are both instances of redundancy 

NOTE 1 - Redundancy is used primarily to improve reliability or availability. 

NOTE 2 - The definition in lEV 191-15-01 is less complete. 

[ISO/IEC 2382-14-01-12] 

3.4 Systems: safety-related aspects 

3.4.1 

safety-related system 

designated system that both 

- implements the required safety functions necessary to achieve or maintain a safe state for 
the EUC; and 

- is intended to achieve, on its own or with other E/E/PE safety-related systems, other 
technology safety-related systems or external risk reduction facilities, the necessary safely 
integrity for the required safety functions 

NOTE 1 - The term refers to those systems, designated as safety-related systems, that are intended to achieve, 
together with the external risk reduction facilities (see 3 4.3), the necessary risk reduction in order to meet the 
required tolerable risk (see 3 1.6). See also annex A of lEC 61508-5. 

NOTE 2 - The safety- related systems are designed to prevent the EUC from going into a dangerous state by taking 
appropriate action on receipt of commands. The failure of a safety-related system would be included m the events 
leading to the determined hazard or hazards. Although there may be other systems having safety functions, it is the 
safety-related systems that have been designated to achieve, in their own right, the required tolerable risk Safety- 
related systems can broadly be divided into safety-related control systems and safety-related protection systems, 
and have two modes of operation (see 3.5 12). 

NOTE 3 - Safety- related systems may be an integral part of the EUC control system or may interface with the EUC 
by sensors and/or actuators. That is, the required safety integrity level may be achieved by implementing the safety 
functions in the EUC control system (and possibly by additional separate and independent systems as well) or the 
safety functions may be implemented by separate and independent systems dedicated to safety 

NOTE 4 - A safety-related system may 

a) be designed to prevent the hazardous event (i.e. if the safety-related systems perform their safety functions 
then no hazardous event arises); 

b) be designed to mitigate the effects of the hazardous event, thereby reducing the risk by reducing the 
consequences, 

c) be designed to achieve a combination of a) and b) 
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NOTE 5 - A person can be part of a safety-related system (see 3.3.1) For example, a person could receive 
information from a programmable electronic device and perform a safety action based on this information, or 
perform a safety action through a programmable electronic device 

NOTE 6 - The term includes all the hardware, software and supporting services (for example, power supplies) 
necessary to carry out the specified safety function (sensors, other input devices, final elements (actuators) and 
other output devices are therefore included in the safety-related system) 

NOTE 7 - A safety-related system may be based on a wide range of technologies including electrical, electronic, 
programmable electronic, hydraulic and pneumatic 

3.4.2 

Other technology safety-related system 

safety-related system based on a technology other than electrical/electronic/programmable 
electronic 

EXAMPLE A relief valve is another technology safety-related system 

3.4.3 

external risk reduction facility 

measure to reduce or mitigate the risks which are separate and distinct from, and do not use, 
E/E/PE safety-related systems or other technology safety-related systems 

EXAMPLE A dram system, a fire wall and a bund are all external risk reduction facilities. 

3.4.4 

low complexity E/E/PE safety-related system 

E/E/PE safety-related system (see 3.2.6 and 3.4.1), in which 

- the failure modes of each individual component are well defined; 

- the behaviour of the system under fault conditions can be completely determined. 

NOTE - Behaviour of the system under fault conditions may be determined by analytical and/or test methods. 

EXAMPLE A system comprising one or more limit switches, operating, possibly via interposing electro-mechanical 
relays, one or more contactors to de-energise an electric motor is a low-complexity E/E/PE safety-related system. 

3.4.5 

logic system 

portion of a system that performs the function logic but excludes the sensors and final 
elements 

NOTE - In this standard the following logic systems are used: 
electrical logic systems for electro-mechanical technology: 

- electronic logic systems for electronic technology, 

- programmable electronic logic systems for programmable electronic systems 

3.5 Safety functions and safety integrity 

3.5.1 

safety function 

function to be implemented by an E/E/PE safety-related system, other technology safety- 
related system or external risk reduction facilities, which is intended to achieve or maintain a 
safe state for the EUC, in respect of a specific hazardous event (see 3.4.1) 

3.5.2 

safety integrity 

probability of a safety-related system satisfactorily performing the required safety functions 
under all the stated conditions within a stated period of time 

NOTE 1 - The higher the level of safety integrity of the safety-related systems, the lower the probability that the 
safety-related systems will fail to carry out the required safety functions. 

NOTE 2 - There are four levels of safety integrity for systems (see 3 5 6) 
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NOTE 3 - In determrning salely integrity, all causes ol failures (both random hardware failures and systematic 
failures) which lead to an unsafe state should be included lor example hardware failures, software induced failures 
and failures due to electrical interference Some of these types of failure, m particular random hardware failures, 
may be quantified using such measures as the failure rate m the dangerous mode of failure or the probability of a 
safety- related protection system failing to operate on demand However the safety integrity of a system also 
depends on many factors which cannot be accurately quantified but can only be considered qualitatively 

NOTE 4 - Safety integrity comprises hardware safety integrity (see 3 5 S) and systematic safety integrity (see 
3.5.4) 

NOTE 5 - This definition focuses on the reliability of the safety-related systems to perform the safety functions (see 
lEV 191-12-01 for a definition of reliability) 

3.5.3 

software safety integrity 

measure that signifies the likelihood of software in a programmable electronic system 
achieving its safety functions under all stated conditions within a stated period of time 

3.5.4 

systematic safety integrity 

part of the safety integrity of safety-related systems relating to systematic failures (see note 3 
of 3.5.2) in a dangerous mode of failure 

NOTE 1 - Systematic safety integrity cannot usually be quantified (as distinct from hardware safety integrity which 
usually can). 

NOTE 2 - See 3 5 2 3 5 5 and 3 6 6 

3.5.5 

hardware safety integrity 

part of the safety integrity of the safety-related systems relating to random hardware failures m 
a dangerous mode of failure 

NOTE 1 - The term relates to failures in a dangerous mode, thai is, those failures of a safety-related system that 
would impair its safety integrity The two parameters that are relevant in this context are the overall dangerous 
failure rate and the probability ol failure to operate on demand The former reliability parameter is used when it is 
necessary to maintain continuous control m order to maintain safety, the latter reliability parameter is used in the 
context of safety-related protection systems 

NOTE 2 - See 3 5 2. 3 5 4 and 3 6 6 

3.5.6 

safety integrity level (SIL) 

discrete level (one out of a possible four) for specifying the safety integrity requirements of the 
safety functions to be allocated to the E/E/PE safety-related systems, where safety integrity 
level 4 has the highest level of safety integrity and safety integrity level 1 has the lowest 

NOTE - The target failure measures (see 3 5 13) for the lour safety integrity levels are specified m tables 2 and 3 
of lEC 61508-1- 

3.5.7 

software safety integrity level 

discrete level (one out of a possible four) for specifying the safety integrity of software in a 
safety-related system 

NOTE - See 3 5 3 and 3 5 6. 

3.5.8 

safety requirements specification 

specification containing all the requirements of the safety functions that have to be performed 
by the safety-related systems 

NOTE - Tnis speci'ication is v:oed f.o '.i^e 

- safety fuict o'-s requ^re'^e'^ts soec^fcation isee 3 5 9). 

- safety iteg'ity ^ea-. re'^e'-'s spec' cat. on (see 3 5 10| 
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3.5.9 

safety functions requirements specification 

specification containing the requirements for the safety functions that have to be performed by 
the safety-related systems 

NOTE 1 - This specification is one part (the safety functions part) of the safety requirements specification (see 

3.5 8) and contains the precise details of the safety functions that have to be performed by the safety-related 

systems 

NOTE 2 - Specifications may be documented in text, flow diagrams, matrices, logic diagrams, etc., providing that 

the safety functions are clearly conveyed. 

3.5.10 

safety integrity requirements specification 

specification containing the safety integrity requirements of the safety functions that have to be 
performed by the safety-related systems 

NOTE - This specification is one part (the safety integrity part) of the safety requirements specification (see 3.5.8). 

3.5.11 

safety-related software 

software that is used to implement safety functions in a safety-related system 

3.5.12 

mode of operation 

way in which a safety-related system is intended to be used, with respect to the frequency of 
demands made upon it. which may be either 

- low demand mode: where the frequency of demands for operation made on a safety- 
related system is no greater than one per year and no greater than twice the proof-test 
frequency; 

- high demand or continuous mode: where the frequency of demands for operation made 
on a safety-related system is greater than one per year or greater than twice the proof- 
check frequency 

NOTE 1 - High demand or continuous mode covers those safety-related systems which implement continuous 
control to maintain functional safety 

NOTE 2 - The target failure measures for safety-related systems operating in low demand mode and high demand 
or continuous mode are defined in 3 5 13. 

3.5.13 

target failure measure 

intended probability of dangerous mode failures to be achieved in respect of the safety integrity 

requirements, specified in terms of either 

- the average probability of failure to perform the design function on demand (for a low 
demand mode of operation); 

- the probability of a dangerous failure per hour (for a high demand or continuous mode of 
operation) 

NOTE - The numerical values for the target failure measures are given in tables 2 and 3 of lEC 61508-1 . 

3.5.14 

necessary risk reduction 

risk reduction to be achieved by the E/E/PE safety-related systems, other technology safety- 
related systems and external risk reduction facilities in order to ensure that the tolerable risk is 
not exceeded 
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3.6 Fault, failure and error 

3.6.1 
fault 

abnormal condition that may cause a reduction in, or loss of, the capability of a functional unit 
to perform a required function 

NOTE - lEV 191-05-01 defines ■fault" as a state characterised by the inability to perform a required function, 
excluding the inability during preventative nnamtenance or other planned actions or due to lack ol external 
resources See figure 4 for an illustration of these two points of view 

[ISO/IEC 2382-14-01-10] 

3.6.2 

fault avoidance 

use of techniques and procedures which aim to avoid the introduction of faults during any 
phase of the safety lifecycle of tha safety-related system 

3.6.3 

fault tolerance 

ability of a functional unit to continue to perform a required function in the presence of faults or 
errors 

NOTE - The definition in lEV 191 -1505 refers only to sub-item faults See the note for the term fault m 3 6 i 

[ISO/IEC 2382 14-04 06; 

3.6.4 
failure 

termination of the ability of a functional unit to perform a required function 

NOTE 1 - The defmihon in lEV 191 04 01 is the same with additional notes 

(ISO/IEC 2382-14-01-11] 

NOTE 2 - See figure 4 for the relationship between faults and failures, both in lEC 61508 and lEV 50(191) 

NOTE 3 - Performance of required functions necessarily excludes certain behaviour, and some functions may be 
specified in terms ol behaviour to be avoided The occurrence of such behaviour is a failure 

NOTE 4 - Failures are either random (in hardware) or systematic (m hardware or software), see 3 6 5 and 3 6 6 

3.6.5 

random hardware failure 

failure, occurring at a random time, which results from one or more of the possible degradation 
mechanisms in the hardware 

NOTE 1 - There are many degradation mechanisms occurring at different rates in different components and, since 
manufacturing tolerances cause components to fail due to these mechanisms after different times in operation, 
failures ol equipment comprising many components occur at predictable rates but at unpredictable (i e random) 
limes, 

NOTE 2 - A major distinguishing feature between random hardware failures and systematic failures (see 3 6 6) is 
Ihal system failure rates (or other appropriate measures) arising from random hardware failures, can be predicted 
with reasonable accuracy but systematic liilures. by their very nature, cannot be accurately predicted That is 
system failure rates arising from random hardware failures can be quantified with reasonable accuracy but those 
arising from systematic failures cannot be accurately statistically quantified because the events leading to them 
cannot easily be predicted 
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c) From the point of view of lEC 6150B and ISO/IEC 2382-14 



d) From the point of view of lEC 60050(191 ) 



NOTE 1 - As shown in a), a functional unit can be viewed as a hierarchical composition of multiple levels, each of 
which can m turn be called a functional unit In level (i). a "cause" may manifest itself as an error (a deviation from 
the correct value or state) within this level (/) functional unit, and, if not corrected or circumvented, may cause a 
failure of this functional unit, as a result of which It falls into an "F" state where it is no longer able to perform a 
required function (see b)). This "F" state of the level (I) functional unit may in turn manifest itself as an error in the 
level (/-I) functional unit and, if not corrected or circumvented, may cause a failure of this level (/-I) functional unit. 

NOTE 2 - In this cause and effect chain, the same thing ("Entity X') can be viewed as a state ("F" state) of the level (/) 
functional unit into which it has fallen as a result of its failure, and also as the cause of the failure of the level (/-I) 
functional unit This "Entity X" combines the concept of "fault" in lEC 61508 and ISO/IEC 2382-14, which 
emphasizes its cause aspect as illustrated in c), and that of "fault" in lEC 60050(191), which emphasizes its state 
aspect as illustrated in d). The "F" state is called fault in lEC 60050(191), whereas it is not defined in lEC 61508 
and ISO/IEC 2382-14 

NOTE 3 - In some cases, a failure or an error may be caused by an external event such as lightning or electrostatic 
noise, rather than by an internal fault Likewise, a fault (in both vocabularies) may exist without a prior failure. An 
example of such a fault is a design fault. 

Figure 4 - Failure model 

3.6.6 

systematic failure 

failure related in a deterministic way to a certain cause, which can only be eliminated by a 
modification of the design or of the manufacturing process, operational procedures, documen- 
tation or other relevant factors 

NOTE 1 - Corrective maintenance without modification will usually not eliminate the failure cause. 
NOTE 2 - A systematic failure can be induced by simulating the failure cause 
[lE-V 191-04-191 
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NOTE 3 - Examples of causes o( systematic failures mciude fiuman error m 

- ine safety requirements specification. 

- the design, manufacture, installation, operation of the narOware 

- the design, implementation, etc of the software 

NOTE 4 - In this standard failures in a safety-related system are categori/ed as random hardware failures or 
systematic failures (see 3 6 4 and 3 6 5) 

3.6.7 

dangerous failure 

failure which has the potential to put the safety-related system m a hazardous or fail-to-function state 

NOTE - Whether or not the potential is realised may depend on tne channel archiiecturc of the system m systems 
with multiple channels to improve safely a dangerous hardware failure is loss hkely to lead to the overall dangerous 
or fail-to-function state 

3.6.8 

safe failure 

failure which does not have the poteritial to put the safety-related system in a hazardous or tail- 
to-function state 

NOTE - Whether or not the potential is realised may depend on the channel architecture of ihe system m systems 
with multiple channels lo improve safely a safe hardvuare failure is less iikeiy to result m an erroneous shut down 

3.6.9 

dependent failure 

failure whose probability cannot be expressed as the simple product of the unconditional 
probabilities of the individual events which caused it 

NOTE - Two events A and B are dependent where P[/] is the prooauilily of event / only il 

P(A and B) ■> PlA) x P(B) 

3.6.10 

common cause failure 

failure, which is the result of one or more events, causing coincident failures of two or more 
separate channels m a multiple channel system, leading to system failure 

3.6.11 
error 

discrepancy between a computed, observed or measured value or condition and the true, 
specified or theoretically correct value or condition 
NOTE - Adapted from lEV 191-05-24 by excluding the notes 

3.6.12 

human error 
mistake 

human action or inaction that can produce an unintended result 

[ISO/IEC 2382-14-01-09] 

NOTE - Adapted from lEV 191-05 25 by the addition ol or inaction" 

3.7 Lifecycle activities 

3.7.1 

safety lifecycle 

necessary activities involved in the implementation of safety-related systems, occurring during 
a period of time that starts at the concept phase of a project and finishes when all of the 
E/E/PE safety-related systems, other technology safety-related systems and external risk 
reduction facilities are no longer available for use 

NOTE 1 - The term 'functional safety lifecycle" is strictly more accurate but the adjective "functional" is not 
considered necessary in this case withm the context of this standard 

NOTE 2 - The safety lifecycle models used m this standard are specified m figures 2. 3 and 4 of lEC 61508 i 
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3.7.2 

software lifecycle 

activities occurring during a period of time that starts when software is conceived and ends 
when the software is permanently disused 

NOTE 1 A software lilecyde typically includes a requirements phase, development phase, test phase, integration 
phase installation phase and a modification phase 

NOTE 2 - Software is not capable of being maintained, rather, it is modified, 

3.7.3 

configuration management 

discipline of identifying the components of an evolving system for the purposes of controlling 
changes to those components and maintaining continuity and traceability throughout the 
lifecycle 

NOTE - For details on software configuration management see C.5-24 of lEC 61508-7, 

3.7.4 

impact analysis 

activity of determining the effect that a change to a function or component in a system will have 
to other functions or components in that system as well as to other systems 

NOTE - In the context of software, see C.5-23 of lEC 61508-7. 

3.8 Confirmation of safety measures 

3.8.1 
verification 

confirmation by examination and provision of objective evidence that the requirements have 
been fulfilled 

NOTE 1 - Adapted from iSO 8402 by excluding the notes 

NOTE 2 - In the context of this standard, verification is the activity of demonstrating for each phase of the relevant 
safety lifecycle (overall. E/E/PES and software), by analysis and/or tests, that, for the specific inputs, the 
deliverables meet m all respects the objectives and requirements set for the specific phase. 

EXAIWPLE Verification activities include 

- reviews on outputs (documents from all phases of the safety lifecycle) to ensure compliance with the objectives 
and requirements of the phase, taking into account the specific inputs to that phase; 

design reviews: 

- tests performed on the designed products to ensure that they perform according to their specification; 

- integration tests performed where different parts of a system are put together in a step-by-step manner and by 
the performance of environmental tests to ensure that all the parts work together in the specified manner 

3.8.2 
validation 

confirmation by examination and provision of objective evidence that the particular require- 
ments for a specific intended use are fulfilled 

fMOTE ' - Adapted from iSO 8402 by excluding the notes. 

NOTE 2 - !n this standard there are three validation phases 

- ove'ai safety vai aation (see figure 2 of lEC 61508-1); 

- EE'CES vaiioation (see figure 3 cf !EC 61508-1): 

- software validation (see figure 4 o' lEC 61508-1), 

NOTE 3 - Vaioat^or s tne activity of demonstrating that the sa'ety-related system under consideration, before or 
after installation meets m an respects the safety requirements specification for that safety-related system 
■^nere'ore fo- examp e, software va lOation means confirming by examination and provision of objective evidence 
inat tne software satisfies the software safety requirements specification. 
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3.8.3 

functional safety assessment 

investigation, based on evidence, to judge the functional safety achieved by one or more 
E/E/PE safety-related systems, other technology safety-related systems or external risk 
reduction facilities 

3.8.4 

functional safety audit 

systematic and independent examination to determine whether the procedures specific to the 
functional safety requirements to comply with the planned arrangements are implemented 
effectively and are suitable to achieve the specified objectives 

NOTE - A functional safety audit may be carried out as part of a functional safety assessment. 

3.8.5 
proof test 

periodic test performed to detect failures in a safety-related system so that, if necessary, the 
system can be restored to an "as new " condition or as close as practical to this condition 

NOTE - The effectiveness of the proof test will be dependent upon how close to the "as new" condition the system 
is restored. For the proof test to be fully effective, it will be necessary to detect 100 % of all dangerous failures 
Although in practice 100 °o is not easily achieved for other than low-complexity E/E/PE safely-related systems, this 
should be the target As a minimum, all the safety functions which are executed are checked according to the 
E/E/PES safety requirements specification. If separate channels are used, these tests are done for each channel 
separately. 

3.8.6 

diagnostic coverage 

fractional decrease in the probability of dangerous hardware failure resulting from the operation 
of the automatic diagnostic tests 

NOTE 1 - The definition may also tje represented in terms of the following equation, where DC is the diagnostic 
coverage. A^q is the probability of delected dangerous failures and A,o,a! is the probability of total dangerous 
failures: 

DC 



IK 



NOTE 2 - Diagnostic coverage may exist for the whole or parts of a safety-related system For example diagnostic 
coverage may exist for sensors and/or logic system and/or final elements. 

NOTE 3 - The term safe diagnostic coverage, or diagnostic coverage including sate failures, is used to descnbe 
respectively the fractional decrease in the probability of safe hardware failure, or of both safe and dangerous 
hardware failures, resulting from the operation of the automatic diagnostic tests 

3.8.7 

diagnostic test interval 

interval between on-line tests to detect faults in a safety-related system that have a specified 
diagnostic coverage 

3.8.8 
detected 

revealed 

overt 

in relation to hardware, defected by the diagnostic tests, proof tests, operator intervention (for 

example physical inspection and manual tests), or through normal operation 

EXAMPLE These adjectives are used in detected fault and detected failure 
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3.8.9 
undetected 

unrevealed 

covert 

in relation to hardware, undetected by the diagnostic tests, proof tests, operator intervention 

(for example physical inspection and manual tests), or through normal operation 

EXAMPLE These adjectives are used in undetected fault and undetected failure. 

3.8.10 
independent person 

person who is separate and distinct from the activities which take place during the specific 
phase of the overall, E/E/PES or software safety lifecycle that is subject to the functional safety 
assessment or validation, and does not have direct responsibility for those activities 

3.8.11 

independent department 

department which is separate and distinct from the departments responsible for the activities 
which take place during the specific phase of the overall, E/E/PES or software safety lifecycle 
that is subject to the functional safety assessment or validation 

3.8.12 

independent organisation 

organisation which is separate and distinct, by management and other resources, from the 
organisations responsible for the activities which take place during the specific phase of the 
overall, E/E/PES or software safety lifecycle that is subject to the functional safety assessment 
or validation 

3.8.13 
animation 

simulated operation of the software system (or of some significant portion of the system) to 
display significant aspects of the behaviour of the system, for instance applied to a 
requirements specification in an appropriate format or an appropriate high-level representation 
of the system design 

NOTE - Animation can give extra confidence that the system meets the real requirements because It improves 
human recognition of the specified behaviour 

3.8.14 
dynamic testing 

executing software and/or operating hardware in a controlled and systematic way, so as to 
demonstrate the presence of the required behaviour and the absence of unwanted behaviour 

NOTE - Dynamic testing contrasts with static analysis, which does not require the software to be executed 

3.8.15 

test harness 

facility that is capable of simulating (to some useful degree) the operating environment of 
software or hardware under development, by applying test cases to the software and recording 
the response 

NOTE - The test harness may also include test case generators and facilities to verify the test results (either 
automatically against values that are accepted as correct or by manual analysis). 
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